<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentrytitle>wpa_supplicant.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refname>wpa_supplicant.conf</refname>
<refpurpose>configuration file for wpa_supplicant</refpurpose>
<title>Overview</title>
<para><command>wpa_supplicant</command> is configured using a text
file that lists all accepted networks and security policies,
including pre-shared keys. See the example configuration file,
probably in <filename>/usr/share/doc/wpa_supplicant/</filename>, for
detailed information about the configuration format and supported
options.</para>
<para>All file paths in this configuration file should be full
(absolute, not relative to the working directory) paths, so that the
working directory can be changed. This happens, for example, when
wpa_supplicant is run in the background.</para>
<para>Changes to the configuration file can be reloaded by sending
the SIGHUP signal to <command>wpa_supplicant</command> ('killall -HUP
wpa_supplicant'). Similarly, reloading can be triggered with
the 'wpa_cli reconfigure' command.</para>
<para>The configuration file can include one or more network blocks,
e.g., one for each SSID in use. wpa_supplicant automatically
selects the best network based on the order of the network blocks in
the configuration file, the network security level (WPA/WPA2 is
preferred), and signal strength.</para>
<title>Quick Examples</title>
<para>WPA-Personal (PSK) as home network and WPA-Enterprise with
EAP-TLS as work network.</para>
<blockquote><programlisting>
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# home network; allow all valid ciphers
network={
        ssid="home"
        key_mgmt=WPA-PSK
        psk="very secret passphrase"
}

# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
        ssid="work"
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        group=CCMP TKIP
        eap=TLS
        identity="user@example.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
}
</programlisting></blockquote>
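<para>wpa_supplicant turns the quoted passphrase in the home network's psk= line into the 256-bit WPA-PSK with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations; psk= also accepts that key directly as 64 unquoted hex digits, which keeps the passphrase itself out of the file. The following Python is an added example of that derivation, not code from this page or from wpa_supplicant; the function names wpa_psk and psk_network_block are this example's own.</para>

```python
import hashlib

def wpa_psk(ssid, passphrase):
    """Derive the 256-bit WPA-PSK exactly as wpa_supplicant does from a quoted psk=
    passphrase: PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def psk_network_block(ssid, passphrase):
    """The home-network block from the example above, rewritten with the derived key in
    the unquoted 64-hex-digit form that psk= also accepts, so the passphrase is not stored."""
    lines = ["network={", f'\tssid="{ssid}"', "\tkey_mgmt=WPA-PSK",
             f"\tpsk={wpa_psk(ssid, passphrase)}", "}"]
    return "\n".join(lines)
```

The test vector used below (SSID "IEEE", passphrase "password") is the one published in the IEEE 802.11i annex.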
<para>WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
use the old PEAP label (e.g., Funk Odyssey and SBR, Meetinghouse
Aegis, Interlink RAD-Series)</para>
<blockquote><programlisting>
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="user@example.com"
        # placeholder credential for the MSCHAPv2 inner method
        password="password"
        ca_cert="/etc/cert/ca.pem"
        # peaplabel=1 selects the old PEAP key-derivation label used by the servers listed above
        phase1="peaplabel=1"
        phase2="auth=MSCHAPV2"
}
</programlisting></blockquote>
<para>EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous
identity for the unencrypted outer authentication. The real identity
is sent only within the encrypted TLS tunnel.</para>
<blockquote><programlisting>
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="user@example.com"
        anonymous_identity="anonymous@example.com"
        # placeholder credential for the inner EAP-MD5-Challenge method
        password="password"
        ca_cert="/etc/cert/ca.pem"
        # autheap= selects an inner EAP method; auth= would select a non-EAP method (PAP, CHAP, MSCHAPv2)
        phase2="autheap=MD5"
}
</programlisting></blockquote>
<para>IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
(require both unicast and broadcast keys); use EAP-TLS for
authentication</para>
<blockquote><programlisting>
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="example"
        key_mgmt=IEEE8021X
        eap=TLS
        identity="user@example.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
        # require dynamic WEP keys: bit 0 = unicast key, bit 1 = broadcast key
        eapol_flags=3
}
</programlisting></blockquote>
<para>Catch-all example that allows more or less all
configuration modes. The configuration options are used based
on what security policy is used in the selected SSID. This is
mostly for testing and is not recommended for normal
use.</para>
<blockquote><programlisting>
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="example"
        key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
        group=CCMP TKIP WEP104 WEP40
        psk="very secret passphrase"
        identity="user@example.com"
        # placeholder credential for password-based EAP methods (PEAP, TTLS)
        password="password"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
        # certificates for the inner (phase 2) TLS authentication
        ca_cert2="/etc/cert/ca2.pem"
        client_cert2="/etc/cert/user.pem"
        private_key2="/etc/cert/user.prv"
        private_key2_passwd="password"
}
</programlisting></blockquote>
<para>Authentication for wired Ethernet. This can be used with the
'wired' interface driver (-Dwired on the command line).</para>
<blockquote><programlisting>
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# a wired port is neither scanned nor associated with
ap_scan=0

network={
        key_mgmt=IEEE8021X
        identity="user@example.com"
        # placeholder credential for a password-based EAP method
        password="password"
        # wired ports deliver no dynamic WEP keys, so do not require them
        eapol_flags=0
}
</programlisting></blockquote>
<title>Certificates</title>
<para>Some EAP authentication methods require the use of
certificates. EAP-TLS uses both server-side and client
certificates, whereas EAP-PEAP and EAP-TTLS only require the server-side
certificate. When a client certificate is used, a matching
private key file also has to be included in the configuration. If the
private key is protected by a passphrase, this has to be configured in
wpa_supplicant.conf ("private_key_passwd").</para>
<para>wpa_supplicant supports X.509 certificates in PEM and DER
formats. The user certificate and private key can be included in the
same file.</para>
<para>If the user certificate and private key are received in
PKCS#12/PFX format, they need to be converted to a suitable PEM/DER
format for wpa_supplicant. This can be done, e.g., with the following
commands:</para>
<blockquote><programlisting>
# convert client certificate and private key to PEM format
# (the key is written PEM-encrypted; the pass phrase openssl asks for is the
# one that then goes into private_key_passwd)
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
</programlisting></blockquote>
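<para>The rules this page states (file paths must be absolute, a client certificate is always paired with its private key, EAP methods validate the server through ca_cert, and the catch-all key_mgmt list including NONE is for testing only) can be checked before a configuration is deployed. The following Python linter is an added example, not part of this page or of wpa_supplicant; its parser is constructed for the plain key=value and network={ } layout the quick examples use, and the sample configuration it checks is constructed.</para>

```python
import posixpath

# Keys whose values are file paths; the Overview requires these to be absolute.
PATH_KEYS = ("ca_cert", "client_cert", "private_key", "ca_cert2", "client_cert2", "private_key2")

def parse_conf(text):
    """Split conf text into (global settings, list of network blocks). Constructed for
    this example: it handles key=value lines, '#' comment lines and network={ } blocks."""
    globs, networks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            cur = {}
        elif line == "}":
            networks.append(cur)
            cur = None
        else:
            key, _, value = line.partition("=")
            (globs if cur is None else cur)[key.strip()] = value.strip().strip('"')
    return globs, networks

def lint_network(net):
    """Findings for one block, from rules stated on this page: absolute paths, a client
    certificate needs its private key, EAP needs ca_cert, key_mgmt NONE admits open/WEP."""
    out = []
    for k in PATH_KEYS:
        if k in net and not posixpath.isabs(net[k]):
            out.append(f"{k} is not an absolute path: {net[k]}")
    for s in ("", "2"):
        if "client_cert" + s in net and "private_key" + s not in net:
            out.append(f"client_cert{s} without private_key{s}")
    kmgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()  # wpa_supplicant's default
    if ("WPA-EAP" in kmgmt or "IEEE8021X" in kmgmt) and "ca_cert" not in net:
        out.append("EAP without ca_cert: server certificate is not verified")
    if "NONE" in kmgmt:
        out.append("key_mgmt NONE allows unencrypted or WEP association")
    return out

# Constructed sample: an EAP-PEAP block with four of the mistakes the linter looks for.
SAMPLE = """ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="work"
        key_mgmt=WPA-EAP NONE
        eap=PEAP
        identity="user@example.com"
        client_cert="cert/user.pem"
        phase2="auth=MSCHAPV2"
}"""
```

Run it as `for n in parse_conf(open("/etc/wpa_supplicant.conf").read())[1]: print(n.get("ssid"), lint_network(n))` to check a real file; an empty list means the block passes every check above.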
<title>See Also</title>
<para>
<citerefentry>
<refentrytitle>wpa_supplicant</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>
<citerefentry>
<refentrytitle>openssl</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry>
</para>